This allows for the RotationControl to be automatically added to the
Log::rotation_control table for the filter's (writer, path) when it is
added to a stream via Log::add_filter. Log::remove_filter now also
removes any RotationControl's associated with the filter from the
Log::rotation_control table.
This can be used from a Bro script to cause Bro to exit with non-zero
status and a message to stderr. Uses of the exit() BIF in scripts
for terminating Bro because of an error were replaced with this one,
which addresses #564.
* origin/topic/gregor/script-polishing:
Tune when c$conn is set.
Set c$conn (for logging) in new_connection() event.
(Semiautomatically) convert the comments in bare-init.bro into autodoc ones.
Add ConnSize_Analyzer's fields to conn.log
SSH base scripts: make sure ConnSizeAnalyzer variables are available before using them.
Make reference to the other script a link
When a given log was rotated, a new log was opened immediately. If that
log was never written to again, those empty logs perpetually rotate, too.
This change makes it so a log won't be created for a given rotation interval
if there was nothing written to it in that interval.
Binpac exceptions caught in Analyzer.cc are passed to Reporter::Weird
and from there to Reporter::WeirdHelper. WeirdHelper has var args, to
support passing them on to DoLog, but there were no forced format
strings. Since the binpac exception can contain network data which can
contain %-characters, that caused segfaults.
The SSL analyzer used excessive amounts of memory after a gap. We fix
this by tracking whether there was gap and not delivering any more data
if there was.
- Since each host in a cluster has it's own view of the metrics
the only time the manager would get a chance for a global view
is the break_interval. This update improves that time. If a
worker crosses 10% of the full threshold, it will send it's
value to the manager which can then ask the rest of the cluster
for a global view. The manager then adds all of the values for
each workers metric indexes together and will do the notice
if it crosses the threshold so that it isn't dependent on
waiting for the break interval to hit. This functionality
works completely independently of the break_interval too. Logging
will happen as normal.
- Small update for SSH bruteforcer detection to match additions in
the metrics framework API.
- The hope is that this update is mostly invisible from anyone's
perspective. The only affect it should have on users is to better
the detection of metric values crossing thresholds on cluster
deployments.
After discussion with Seth we now set c$conn in
connection_state_remove() with priority 5, and log it with priority -5.
If users want to extend c$conn before connection_state_remove, they can
just create c$conn and add custom fields.
Addresses: #554
Reading from an interface like `bro -i en0` no longer expects to
start reading stdin for a script to load. Explicitly passing in
'-' as an additional command line argument still allows reading a
script from stdin.
Closes#561
The hash function was internally casting the void* data argument into an
unsigned char* and then using values from that to index another internal
array that's dimensioned based on the assumption of 256 values possible
for an unsigned char (8-bit chars/bytes). This is probably a correct
assumption most of the time, but should be safer to use the limits as
defined in standard headers to get it right for the particular
system/compiler.
There was an unused uint8* casted variable in HashKey::HashBytes that
seemed like it might have been meant to be passed to H3's hash function
as an unfinished attempt to solve the 8-bit byte assumption problem, but
that doesn't seem as good as taking care of that internally in H3 so
users of the API are only concerned with byte sizes as reported by
`sizeof`. Removing the unused variable addresses #530.
Also a minor tweak to an hmac_md5 call that was casting away const from
one argument (which doesn't match the prototype).
- fixing some Metrics::add_data() call signatures
- slight refactors to cluster framework @if and adding a NONE NodeType for
so local_node_type() will return that instead of just emitting an error
when cluster mode isn't enabled
- `make restdoc` target now uses bro's bare-mode
- bro scripts generated from bifs now really only live in the build/src/base/
directory and changed the DocSourcesList.cmake to dynamically figure out
what bifs exist by looking in src/ instead of build/src/
- add some missing @load dependencies
